by j_coder 3084 days ago
What I don't understand is why the kernel patches and microcode updates are still being worked out today. They had 6 months to work on it.

No secret channel to communicate with Linux Kernel developers? No coordinated effort? Last minute findings?

On this thread https://lkml.org/lkml/2018/1/4/174 it looks like the author is disclosing the info at the last minute.

5 comments

I was wondering the same thing earlier. This doesn't feel like a disclosure that's had anywhere near ~6 months put into it.

Did the vendors ignore the disclosure initially and begin to change tactics later in the game? Based on how certain vendors have been characterizing this in their PR, I wouldn't be surprised if they didn't take the problem seriously originally.

The Ubuntu page that was on HN earlier [] claims that they were notified in early November. I have no idea if kernel people (as opposed to distro people) got notified earlier.

[]: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAn...

Especially microcode updates. Microcode is just a giant obscure binary for everyone outside of Intel. If there was a mitigation possible via a microcode update this could have been published months before disclosure without any meaningful risk.

IIRC Intel employs people to work on the Linux kernel on behalf of Intel. Either Intel fumbled or it isn't that easy to circumvent the problem plaguing Intel's processors with a software hack.

Or, they were holding out hope for a workaround that didn't make the entire Cloud 20% slower and they couldn't make it work.

Code for the solution and then code for performance. Direct performance coding is a bad return on investment.

First prove it works and then prove it can be made better and faster ...

That’s easy for you to say. You’re not the person having to admit to a billion dollar mistake.

Everybody stalls for time when the stakes are this high. How long can I reasonably spend trying to turn this into a small problem before I have to go public with it?

Saying it’s a bigger problem than it turns out to be is a PR nightmare of its own. If there was a cheap fix then you cried wolf and killed your reputation just as dead.

Exactly this. Apparently, the details of the attack have been published in official paper(s) before the security teams of major OSes could prepare and make publicly available mitigating patches for the users. There is no patch for Debian 8.0 (Jessie), or for Qubes OS, for example.

The chatter is all about how CPU manufacturers screwed up, but there is a much more alarming issue here, I think: the apparent irresponsibility of the people who published the flaws before the security teams and the users could mitigate them. Perhaps there was a reason for accelerated public disclosure, but so far this makes no sense to me.